From 1107419d590a2b18a2142c7da3c815a46e1d786a Mon Sep 17 00:00:00 2001 From: fred-vogt-dod Date: Mon, 17 Oct 2022 13:09:19 -0700 Subject: [PATCH 1/4] Allow for configurable MOTD --- amazon-eks-al2.pkr.hcl | 4 ++++ scripts/cis-benchmark.sh | 35 ++++------------------------------- variables.pkr.hcl | 15 +++++++++++++++ 3 files changed, 23 insertions(+), 31 deletions(-) diff --git a/amazon-eks-al2.pkr.hcl b/amazon-eks-al2.pkr.hcl index fc6dd8e..5c24e4a 100644 --- a/amazon-eks-al2.pkr.hcl +++ b/amazon-eks-al2.pkr.hcl @@ -142,6 +142,10 @@ build { provisioner "shell" { execute_command = "echo 'packer' | {{ .Vars }} sudo -S -E bash -eux '{{ .Path }}'" + env = { + MOTD_CONTENT = var.motd_content + } + scripts = [ "scripts/cis-benchmark.sh", "scripts/cis-docker.sh", diff --git a/scripts/cis-benchmark.sh b/scripts/cis-benchmark.sh index 62071eb..a86f5f4 100755 --- a/scripts/cis-benchmark.sh +++ b/scripts/cis-benchmark.sh @@ -200,43 +200,16 @@ sed -i 's/SELINUX=disabled/SELINUX=enforcing/g' /etc/selinux/config echo "1.7.1.1 - ensure message of the day is configured properly" rm -f /etc/cron.d/update-motd -cat > /etc/update-motd.d/30-banner <<"OUTEREOF" +cat > /etc/update-motd.d/30-banner < /etc/issue < /etc/issue <<< "$MOTD_CONTENT" echo "1.7.1.3 - ensure remote login warning banner is configured properly" -cat > /etc/issue.net < /etc/issue.net <<< "$MOTD_CONTENT" echo "1.7.1.4 - ensure permissions on /etc/motd are configured" chown root:root /etc/motd diff --git a/variables.pkr.hcl b/variables.pkr.hcl index fa8254e..246e675 100644 --- a/variables.pkr.hcl +++ b/variables.pkr.hcl @@ -172,3 +172,18 @@ variable "snapshot_users" { type = list(string) default = [] } + +variable "motd_content" { + description = "Message Of The Day (MOTD) banner content." + type = string + default = < Date: Tue, 1 Nov 2022 13:07:00 -0700 Subject: [PATCH 2/4] /etc/docker/daemon.json - updates --- scripts/cis-docker.sh | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) 
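Review bot: `cat > /etc/issue <<< "$MOTD_CONTENT"` and the matching `/etc/issue.net` line in scripts/cis-benchmark.sh write whatever the environment carries, and neither the script nor the new `motd_content` variable in variables.pkr.hcl rejects an empty value, so an empty `MOTD_CONTENT` quietly produces empty banners and the 1.7.1.2/1.7.1.3 controls are lost without a failed build. The scripts run under `bash -eux` (the execute_command in amazon-eks-al2.pkr.hcl), so an unset variable already aborts; one guard before the banner writes closes the remaining gap: `: "${MOTD_CONTENT:?MOTD_CONTENT must be set and non-empty}"`. A `validation` block on `motd_content` that rejects `""` would catch the same mistake at `packer validate` time instead of during provisioning. The heredoc bodies for `30-banner` and the variable's default are not readable in this rendering of the patch, so the banner text itself is not reviewed here.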
diff --git a/scripts/cis-docker.sh b/scripts/cis-docker.sh index c07d78e..f823e3d 100755 --- a/scripts/cis-docker.sh +++ b/scripts/cis-docker.sh @@ -49,11 +49,10 @@ echo "2.1 - 2.17 - ensure the docker configuration is secure" cat > /etc/docker/daemon.json < /etc/docker/daemon.json < Date: Thu, 3 Nov 2022 10:55:04 -0700 Subject: [PATCH 3/4] /etc/kubernetes/kubelet/kubelet-config.json - updates --- scripts/cis-eks.sh | 31 ++++++++++++++++++++++++++----- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/scripts/cis-eks.sh b/scripts/cis-eks.sh index 766301a..fd49fd9 100755 --- a/scripts/cis-eks.sh +++ b/scripts/cis-eks.sh @@ -58,10 +58,31 @@ cat > /etc/kubernetes/kubelet/kubelet-config.json < 1.20 +KUBERNETES_VERSION=$(/usr/bin/kubelet --version | sed -E -e 's!^Kubernetes v([0-9]\.[0-9]+).[0-9]+-.*$!\1!') + +# Inject CSIServiceAccountToken feature gate to kubelet config if kubernetes version starts with 1.20. +# This is only injected for 1.20 since CSIServiceAccountToken will be moved to beta starting 1.21. +if [[ $KUBERNETES_VERSION == "1.20" ]]; then + KUBELET_CONFIG_WITH_CSI_SERVICE_ACCOUNT_TOKEN_ENABLED=$(cat "/etc/kubernetes/kubelet/kubelet-config.json" | jq '.featureGates += {CSIServiceAccountToken: true}') + echo $KUBELET_CONFIG_WITH_CSI_SERVICE_ACCOUNT_TOKEN_ENABLED > "/etc/kubernetes/kubelet/kubelet-config.json" +fi From 3b694c2e3c4b5644021b60b94a26f280b93ae137 Mon Sep 17 00:00:00 2001 From: fred-vogt-dod Date: Thu, 10 Nov 2022 12:04:53 -0800 Subject: [PATCH 4/4] sysctl updates --- scripts/cis-benchmark.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/scripts/cis-benchmark.sh b/scripts/cis-benchmark.sh index a86f5f4..df70ecb 100755 --- a/scripts/cis-benchmark.sh +++ b/scripts/cis-benchmark.sh 
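Review bot: The `KUBERNETES_VERSION` extraction added to scripts/cis-eks.sh only matches when `kubelet --version` prints a `-suffix` after the patch number (the regex ends in `[0-9]+-.*$`) and the `.` before the patch number is unescaped; on a kubelet reporting a bare `v1.20.x` the substitution does nothing, the variable holds the full version string, and the `== "1.20"` test silently skips the feature-gate injection. A pattern that only needs major.minor is more robust: `'s!^Kubernetes v([0-9]+\.[0-9]+)\..*$!\1!'`. The write-back `echo $KUBELET_CONFIG_WITH_CSI_SERVICE_ACCOUNT_TOKEN_ENABLED > "..."` expands unquoted, so the JSON is word-split and glob-expanded before it is written; `printf '%s\n' "$KUBELET_CONFIG_WITH_CSI_SERVICE_ACCOUNT_TOKEN_ENABLED" > "/etc/kubernetes/kubelet/kubelet-config.json"` preserves it as produced by jq. If this script runs under the same `bash -eux` execute_command shown in patch 1, `-e` also does not see a failing `kubelet --version` inside the pipeline unless `set -o pipefail` is in effect, so the version check would proceed with an empty value. The earlier part of this hunk (the kubelet-config heredoc) and the whole daemon.json hunk in patch 2 are garbled in this view and are not reviewed.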
@@ -300,8 +300,10 @@ echo "2.2.4 - ensure LDAP client is not installed"
 yum_remove openldap-clients
 echo "3.1.1 - ensure IP forwarding is disabled"
-sysctl_entry "net.ipv4.ip_forward = 0"
-sysctl_entry "net.ipv6.conf.all.forwarding = 0"
+# Required for working container networking
+# sysctl_entry "net.ipv4.ip_forward = 0"
+# sysctl_entry "net.ipv4.conf.all.forwarding = 0"
+# sysctl_entry "net.ipv6.conf.all.forwarding = 0"
 echo "3.1.2 - ensure packet redirect sending is disabled"
 sysctl_entry "net.ipv4.conf.all.send_redirects = 0"
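Review bot: The `echo "3.1.1 - ensure IP forwarding is disabled"` line is kept while every `sysctl_entry` call beneath it is commented out, so the build log still reports the control as applied although the commit deliberately skips it; state the deviation where it is logged, e.g. `echo "3.1.1 - IP forwarding left enabled: required for container networking (CIS deviation)"`. The new `# sysctl_entry "net.ipv4.conf.all.forwarding = 0"` line is a key the old code never set, so the commented block now lists three settings where only two were previously enforced; either drop it or say why it was added. `sysctl_entry` is defined outside the hunk, so whether it only appends to a sysctl config file or also applies the value live is not visible here.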